Consultant specializing in Microsoft Cloud Technologies and Cloud PBX

Menu

Post navigation

A client recently asked me if it was possible to change their default Skype Audio Conferencing phone number, because the one they had been assigned was in a different city than where their headquarters was. While it is possible to do a bulk change in the graphical user interface, doing it in PowerShell was better because we could target the change to only users using the old number. Here is the one-liner powershell syntax that we used:

In the last month (12/8 to 1/3), the Bitcoin market cap has declined from it’s peak of 67% to 37%, while alternative coins such as Ripple have grown from 2% to 14% total market share.

What’s also interesting, is while the top 10 alternate currencies have gained substantially, the bigger story in my opinion is the smaller “startup” alt-coins, also known as the ICO market â€“ “Initial Coin Offering.” There are now more than 1,300 alt-coins listed on coinmarketcap.com, and they have gained from 10% in the last 30 days, capturing almostÂ 20% of the total market cap! Â (see the “Others” white line in the graphic above). New coins are added each week.

Here is an article from CNBC that explains how to invest in Alt-coins such as Ripple. (click here).

Note: If you are going to invest in alt-coins, use the mainstream exchanges such as Binance, Gdax and Bittrex (when they start accepting new users) because there are many ‘fly by night’ exchanges out there that can only be accessed through TOR. It’s tempting since these exchanges are listing the biggest gainers right now (1,000% increase in profit over 7 days according to coinmarketcap.com). Many of these exchanges don’t accept currency directly so you’ll have to start off with a site such as Coinbase, and then transfer the funds from there into other exchanges. Another reason to use mainstream exchanges is they offer Tax reports.Â Otherwise you would have to manually record your gains and losses, which is labor intensive to track since you would have to record the value of the digital currency at the time of the trade. So by using mainstream exchanges, you can benefit from their tax reporting features. Check your exchange (your mileage will vary).

So is too late to invest in cryptocurrencies and other blockchain technology companies?
“The short answer is no, as long as you don’t think the crypto bubble will burst in the near future. However given the trends of the past 48 hours, it’s necessary to invest with great caution. If you’re looking to make a quick million by jumping on the cryptocurrency bandwagon right now, understand that you’re playing with fire. Nevertheless, even with the dip in value of cryptocurrencies in the past two days, there are plenty of undervalued cryptocurrencies that are designed with newly-developed advancements in blockchain technology. If you do invest, it’s worth spending the time to understand the technology and who is developing it â€“ just like investing in a tech stock.”
Reference: https://www.rollingstone.com/culture/features/bitcoin-and-cryptocurrency-what-you-need-to-know-w514552

As a side note, I do think that the Cryptocurrency market is a bubble driven by wild speculation, that will eventually crash. So the best advice is to not invest any money into it that you cannot afford to lose.

This is a quick review of the new groups expiration feature in Office 365.

Pros: Very simple to configure â€“ set a group expiration of 180, 365, or Custom.

Then enter an email address of someone to notify if a group does not have an owner.

Those two settings make perfect sense.

The third setting is why I am writing this blog post. The setting ‘Enable expiration for these Office 365 groups” [All] [Selected] or [None]

Let’s dissect this a bitâ€¦

ALL probably makes sense â€¦

None might make senseâ€¦

Â

But I’m having a hard time understanding when I would select certain groups for expiration. You see, by the very nature these Groups are very dynamic usually â€“ by default, any user can create a group. So if today I pick a set of 15 groups that I want to expire, then tomorrow there could be 30 more created that will not expire. So then, I would have to continuously come back here and update that list if there were some groups that I did not want to have deleted. So my choice would then have to be revert to the None setting.

What’s really needed is an exclusion list, ex: Expire all groups EXCEPT for these 5 that I really really care about. All the others, let the owners decide if they want to keep them, but these 5, I keep important stuff in there, and I don’t want to sweat it about missing an email and potentially losing all that information.

So Microsoft, I hope you are listening, please add an Exclusion button. I posted this idea to the UserVoice site here if you want to vote on it!

Microsoft will end support for Office for Mac 2011 on Oct. 10, 2017 (a date set two years ago). After that date, Microsoft will no longer provide patches for security vulnerabilities or fixes for other bugs, and halt both free and paid assisted support.

[Update 5/25/2018] Per this forum post [here] it looks like blocking legacy authentication is now possible with Conditional Access!.

Azure AD Premium’s Conditional Access feature requires Modern Authentication to function properly. This has led some to believe that legacy clients (ex: Outlook 2010 and older, or Activesync) can bypass Conditional Access Policies.

Based on my testing, this is only half true, as it depends upon the policy that you select. If you select a ‘Grant’ policy then the legacy clients will not be able to bypass your conditional access policy. However, if you select a Block policy, then the legacy clients will bypass it and connect to the service that you want to block.

So the most conservative thing to do is to use a Grant Policy, not a Block policy.

What does the conditional policy mean by “Domain Join” â€“ is it on-premises or is it Azure AD Domain Join, both, or something else? (Answer: on-prem domain join with an account that has been synced by Azure AD Connect to the cloud… with a software deployment required for Windows 7, and a GPO required for Windows 10).

Is it necessary to deploy the Workplace Join v2.1 client to Windows 7 Machines? (Answer: Yes)

Does Azure AD Connect require configuration, and if so, what is the minimum version of Azure AD Connect required? (Yes, you must create a service connection point in Active Directory per this article).

What role does Azure AD Seamless Single Sign-On Play (also referred to as “Desktop SSO” in the Azure AD Connect documentation) Answer: (It provides a similar SSO experience to ADFS, but only when connected to the corporate network. And it is REQUIRED for Windows 7 machines that wish to have Workplace Join work without an ADFS server).

Is ADFS required? (Answer: No)

Is there any configuration necessary in Azure AD? (Answer: Not unless you changed the default settings)

Is it necessary to deploy a Group Policy change? If so, what are those changes? (Answer: For Windows 10, Yes, see below. For Windows 7, you’ll need to push out some Intranet Site to Zone mappings for the Azure Seamless SSO to work)

Is it necessary to create any DNS records? (Answer: Yes, see below)

Domain Join vs Azure AD Domain Join vs Azure AD Registration

If you configure a Conditional Access Policy and select the “require domain joined device” checkbox, what is it checking?

To find out, I created 6 virtual machines to see exactly what works and what does not work.

Computer Name

Operating System

Configuration

Test Results

Notes

Win10DomainJoin

Windows 10.0.15063 (Creators)

On-Prem Domain Joined

Azure AD Connect “Desktop SSO” is enabled

“enterpriseregistration” DNS CNAME exists

Success

Win10DJandReg

Windows 10.0.15063 (Creators)

On-Prem Domain Joined

Azure AD Connect “Desktop SSO” is enabled

“enterpriseregistration” DNS CNAME exists

GPO Applied “Register domain-joined computers as devices”

Success

Â

Win10DJandAADJ

Windows 10.0.15063 (Creators)

On-Prem Domain Joined

Azure AD Connect “Desktop SSO” is enabled

“enterpriseregistration” DNS CNAME exists

Azure AD Domain Joined (aka ‘Workplace Joined’)

GPO *NOT* Applied “Register domain-joined computers as devices”

Success

Win10AADJoined

Windows 10.0.15063 (Creators)

Azure AD Joined Only

Azure AD Connect “Desktop SSO” is enabled

“enterpriseregistration” DNS CNAME exists

GPO *NOT* Applied “Register domain-joined computers as devices”

Fail â€“ Got a block page (see block page example below)

Wasn’t entirely expecting this to work since the screen tip that is in-band of the configuration says that this checkbox does *not* apply to Azure AD joined machines.

Win7DomainJoin

Windows 7 SP1

Azure AD Joined Only

Azure AD Connect “Desktop SSO” is enabled

“enterpriseregistration” DNS CNAME exists

Fail â€“ Got a block page (see block page example below)

Wasn’t expecting this to work â€“ just testing to create a baseline before the Workplace Join client was installed. With no ADFS in the environment â€“ just Azure AD Connect with Desktop SSO and Password Hash Sync.

Win7DJwithWPJ

Windows 7 SP1

Azure AD Joined Only

Azure AD Connect “Desktop SSO” is enabled

“enterpriseregistration” DNS CNAME exists

Workplace Join v2.1 client installed

SUCCESS

I was starting to lose hope after all these failed tests, but we now have a successful test!

The common denominator for the successful test was the DeviceTrustLevel changed to “Managed”

Block Page Example

This is the end-user example of what it looks like when you try to open an application protected by a Conditional Access Policy that requires Domain Join.

DNS Records

According to the documentation, is necessary to register the following DNS CNAME record in both internal and external DNS (if using split-zone / split-brain DNS):

DNS Entry

Type

DNS Value (Address)

enterpriseregistration.contoso.com

CNAME

enterpriseregistration.windows.net

Workplace Join v2.1

For Windows 7 and Windows 8.1 devices, the documentation states that it is necessary to deploy the Workplace Join client (MSI Package) from here. This is not required for Windows 10 systems, which can register to Azure AD via group policy, although in my lab that does not appear to be working, as that does not produce any records when I run get-msoldevice. Perhaps it requires ADFS for Windows 10 machines to work with Domain Join conditional access.

Workplace join Version 2.1 (Released June 2017) added support for Azure Active Directory Seamless Single Sign On (https://aka.ms/hybrid/sso).

Ready for some kludge? The installer creates a scheduled task on the system that runs in the user’s context. The task is triggered when the user signs in to Windows. The task silently registers the device with Azure AD with the user credentials after authenticating using Integrated Windows Authentication. To see the scheduled task, in the device, go to Microsoft > Workplace Join, and then go to the Task Scheduler library.

The two main benefits of this tool in my opinion is that it registers a Windows 7 machine in Azure AD, and, the version 2.1 client makes it so that you don’t have to use ADFS (simplifying the configuration).

Azure AD Seamless Single Sign-On

Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) is required for Windows 7 machines if you are not using ADFS. Instead, users will sign in andÂ register to Azure Device Registration Services.

When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

If you have ADFS, you do not need this feature as ADFS already provides “seamless SSO” (assuming you also deployed the ADFS STS web page to your Local Intranet zone in Internet Explorer).

*Note: The ‘Edge’ web browser is not yet supported. Currently IE, Chrome and Firefox are supported. Firefox requires custom configuration to make it work.

To deploy seamless SSO, you turn it on in Azure AD Connect, then you deploy it through Group Policy.

Azure AD Connect

You must be using version 1.1.484.0 or later of Azure AD Connect. Note: In the screen shot below, Pass-through auth is selected butÂ ‘PasswordÂ Synchronization’ could have been chosen as well.

If you already have an installation of Azure AD Connect, choose “Change user sign-in page” on Azure AD Connect and click “Next”. Then check the “Enable single sign on” option

Completing that step will create a new computer object in Active Directory “AZUREADSSOACC” â€“ if this object is accidentally deleted, users can still logon, but it will just be the standard logon just like prior to seamless SSO being enabled (so it ‘fails open’ so to speak). For more information see the technical deep dive here.

Group Policy

You can add the Azure AD device authentication end-point to the local Intranet zones to avoid certificate prompts when authenticating the device. This works for both IE and Chrome which both share the same setting. For other browsers see the references section.

To roll this out in a group policy object, here are the steps:

Open the Group Policy Management tool on a domain controller, ex: start > run > gpmc.msc

Note: One of the references only listed the first URL, whereas another reference listed the bottom two. Since the documentation was not consistent, I’m including all three to be safe.

Note:Â Rollout the above GPO at your own risk… It will add these and lock out/removeÂ any other intranet site zones your users may have manually configured. My personal preference is to deployÂ these as group policy preferences instead.

Azure AD Configuration

By default, Azure AD enables users to register devices. So unless someone in your organization changed this setting, you should not have to change this. This is found in http://portal.azure.com then find Azure Active Directory > Users and groups > Device settings. The policy “Users may register their devices with Azure AD” must be set to “All” (which is the default setting).

Windows 10

All domain-joined devices running Windows 10 Anniversary Update and Windows Server 2016 automatically register with Azure AD at device restart or user sign-in. However, Windows 10 November 2015 Update automatically registers with Azure AD only if the rollout Group Policy object is set. So the best thing to do is configure a Group Policy object to control the rollout of automatic registration of Windows 10 and Windows Server 2016 domain-joined computers.

Testing

The output of this cmdlet shows devices registered in Azure AD. To get all devices, use the -All parameter, and then filter them using the deviceTrustType property. Domain joined devices have a value of Domain Joined. In my testing, the only combination that seemed to work with conditional access is when the DeviceTrustType was Domain Joined, and the DeviceTrustLevel was Managed.

To test the scenario where the user enters only the username, but not the password:

Tips

When configuring your first conditional access policy, apply it to a test user, and apply it for only one cloud app. This prevents you from accidentally locking yourself or others out. See best practices reference below for more good ideas.

Troubleshooting

Check to make sure the computer account is syncing to the cloud by running get-msoldevice. If it does not show up there, then make sure the OU or container containing the computer objects is being synced. If it shows up there, it must have DeviceTrustType = ‘Domain Joined’ and DeviceTrustLevel = ‘Managed’

For Windows 10 only, Check to see if the computer object contains a value in the userCertificate attribute. If not, this means that the computer is unable to read the value of the SCP object in Active Directory. Check to make sure that the Authenticated Users group is not missing from the “Device Registration Configuration” object. Â To see if it can query the SCP, run this command:$config = [ADSI] “LDAP://CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=YourDomain,DC=com”;$config

On Windows 10, Run the dsregcmd /status and make sure ‘AzureAdJoined’ is Yes and ‘IsUserAzureAD’ is Yes
Under User State, verify that WamDefaultSet is Yes, WamDefaultAuthority is organizations, WamDefaultId is https://login.microsoft.com, AzureAdPrt is Yes, and WamDefaultGUID contains a value.

For Windows 7 only, run autoWorkplaceJoin.exe /i to find out the current status of the device, this will also provide helpful error messages as well.

Enable Debug and Analytic logs in Event Viewer. Click the View menu. Select Show Analytic and Debug Logs to make these logs visible.Â Enable logs under Applications and Services Logs > Microsoft > Windows > User Device Registration, and then export the logs for Admin and Analytic folders about five minutes after you have rebooted (or signed-out/in)

When pushing out the Workplace Join Client, users may get a pop-up “To continue, this application needs to create a key.”
To suppress this, you can push out a group policy object to not require user input for storing certificates.

Before I discuss the limitations of any product, I try my best to point out all of the things I appreciate about a product. In general, you will not hear Microsoft tell you about product limitations. I suspect it is a culture thing. But then again, do you expect a new car salesman to tell you about the limitations of the car they are trying to sell you?

So let me first point out that I have been a longtime fan of Microsoft’s Rights Management Services (RMS) which debuted in Windows Server 2003. As the product evolved over the years into what is now called Azure Information Protection, I became an even greater admirer of the product as well as the team within Microsoft responsible for its development.

A key milestone came when RMS was ported to Azure, because it became easy to enable (with one mouse click), eliminating the effort to configure servers on-premises, and especially the underlying Public Key Infrastructure (PKI) environment that RMS required.

With the rise in popularity of Office 365 (100 Million subscribers), many began to take advantage of RMS because it is included for free in the most popular business subscription (known as the “E3” license).

One of my favorite RMS features came in September of 2015, when Microsoft announced Document Tracking and Revocation capabilities (here). I’m still amazed by how cool this feature is, allowing you to see a map of the world and the location of where your documents have been opened!

Another key milestone in the evolution of RMS came when they acquired Secure Islands (announced by Takeshi Numoto on 11/9/2015). Six months later, Dan Plastina (@TheRMSGuy) first announced on 6/22/16 (here) that RMS would be rebranded as “Azure Information Protection” (AIP) and later reached general availability in October 2016 (here).

AIP is a truly jaw-dropping experience. As you are authoring content, the document will automatically be labeled and encrypted with a strong 2048 bit encryption key on-the-fly if sensitive information is found (ex: credit card numbers, social security numbers, or data you define as sensitive using regular expressions).

As a consultant, my job is to listen to customer problems, and then recommend solutions. This leads me to the title of this post â€“ AIP Limitations.

Azure Information Protection Limitations

1. External Sharing using AIP with business partners who are still running Office 2010 (or older) needs improvement

When you protect a document with AIP, and you want to send that document to an external user, things go smoothly if they are running Office 2013 or Office 2016.

However, a lot of companies still run Office 2010. This is what their experience would look like:

“Dear External User,

We would like to share sensitive documents with you. If you are running Office 2013 or 2016, and if you have an Office 365 subscription, then you should be able to open the attachments without a problem.

Otherwise, if you are using Office 2010, you will need the following before you can open the documents we send you:

Local Administrator Rights are required to install the Azure Information Protection Client

Download and install the Azure Information Protection Client

If you are running Windows 7, you first need to install KB 2533623 (This will require a reboot)

Note: Office 2010 require Microsoft Online Services Sign-in Assistant version 7.250.4303.0. This version is included with the AIP client installation, however, if you have a later version of the Sign-in Assistant, uninstall it before you install the Azure Information Protection client.

Note: The AIP Client will automatically install the .NET 4.6.2 Framework, so be sure not to deploy this on any machine that has known compatibility issues with the 4.6.2 framework.

Be advised, that in some cases, even if you follow all of the steps above, you may still get an error message when attempting to open an RMS or AIP protected document in Office 2010. The work-around is to create a few registry entries for the service location as documented in the AIP Client Admin guide (here).

If you do not have an Office 365 Subscription, you will need to sign up for “RMS for Individuals” (this is a free identity platform that allows you to open the documents we send to you).”

2. Ad/Hoc External Sharing using an AIP Label is not possible

Let’s say you get a call from a new customer or business partner who wants you to send them a Microsoft Word document. The document is too large to email so you host it in online storage (ex: OneDrive, SharePoint, Dropbox, etc). You might be tempted to click an AIP label that says “Business Partner” or “Client Confidential” but that would not work in the current implementation of AIP, because the Labels must be associated with an RMS Template, and RMS Templates must be associated with Mail Enabled Security Groups, and those Groups must contain a Contact Object. Since normal end-users cannot create contact objects in their Active Directory or Azure Active Directory, they must submit a helpdesk ticket for the external contact to be created, then added to the appropriate Mail Enabled Security Group. You get the picture that this process just broke down fast. Essentially, there is no way with AIP today to associate a label with ad/hoc external sharing. Labels can only be used for defined and known business partners who are pre-configured as contact objects in a group associated with an RMS template that is then tied to a Label. It would be just as exhausting to implement this in a process as it was to type this all out I am sure!

3. There is no Mac OSX client for Azure Information Protection.
The work-around, as best as I can tell, is to have Mac users try the legacy “RMS Sharing App” for Mac OSX. This was the application written before the AIP client was released.

4.In April of 2016, there was a vulnerability discovered in the RMS technology that allows someone with View rights to escalate their privilege and change the document by stripping RMS from the document (which could be potentially undesirable if they then re-share that document with unauthorized parties, or if that document is exposed in the wild (ex: lost/stolen laptop, ransomware, etc). This is documented on Wikipedia here, and proof of concept code is available for testing from GitHub (here). This issue isn’t too great in my opinion, because it requires that one of the named users who is authorized to view the document has to compromise the document. In other words, an unauthorized party cannot break the 2048 bit encryption.

5.OneDrive.Protecting documents with AIP or RMS automatically when they are uploaded to OneDrive is currently not a great idea. First, Microsoft has removed the navigation button permitting you to do this, so you would have to find the direct hyperlink to the document library settings to enable IRM on your OneDrive document library. Even if you were to do this, it would prevent you from sharing any of those documents with outside users because there is no straight-forward way to make a OneDrive library’s IRM settings understand external users. It essentially ends the ad/hoc sharing capabilities of OneDrive. Perhaps that is why MSFT removed the navigation button for site settings in OneDrive.

Guidance

So given these limitations, what do I recommend?

I recommend you use AIP to protect sensitive information that should be accessible to internal employees, or known/named individuals from business partners. When communicating with the business partner for the first time, try to find out if they use Office 2010, and if so, warn them that it will be a rocky road for them (see sample email template above). Fortunately, Office 2013 and 2016 seem to natively open AIP encrypted documents.

If you need to share documents with encryption in transit, then use Office 365 Message Encryption (OME). The limitation of OME (today) is that the recipient can save the document and do anything they want to it (the encryption does not follow the attachments after the recipient saves it to their computer). This will be resolved with the upcoming Secure Email feature that was announced at the 2016 Ignite conference.

If you need to securely share emails and documents with Gmail users, then wait for the upcoming Secure Email solution that was announced at the 2016 Microsoft ignite conference (watch the video here, starting around the 46 minute mark).

Roadmap

Will things get better? In many cases, yes, however, not for the external user who needs to edit the AIP/RMS protected document using Office 2010.
The proposed Secure Email solution will make it seemless for any user to VIEW AIP/RMS protected documents by providing a web-browser experience. But if the business process requires the external user to make changes and send those back, my understanding is that capability is not going to be in Secure Email when it is released (from what I have heard anyway). To be clear, if the external user is given edit rights, and if they are still on Office 2010, they are going to have the same pain points as I described above with Office 2010.

AIP Licensing

AIP can be licensed in one of four methods:

You can get AIP as a standalone license for $2/user/month.

You can get AIP as part of the Azure Active Directory Premium P1 or P2 license families.

You can get AIP in the Enterprise Mobility + Security E3 or E5 license families.

Or you can get AIP as part of the Secure Productive Enterprise E3 or E5 license families.

If you just need the original RMS capabilities (encryption, access control and policy enforcement) then you can license that individually or as part of the Office 365 E3 license.

If you need the Document Tracking and Revocation Capabilities, you’ll find that in the Enterprise Mobility + Security E3 or Secure Productive Enterprise E3.

Note: AIP automatic labeling is an advanced feature that requires the AADP P2, or EMS E5, or SPE E5 license. Otherwise, the down-level version of AIP requires the user to manually label documents they create.

Just got off a phone call with some engineers at Microsoft who informed me that both Cisco and Microsoft have mutually agreed that using a Cisco Meraki firewall is not recommended for creating site to site (S2S) VPN tunnels to Microsoft Azure.

The issue is the Phase 1 IKE Timeout value that the Meraki uses is not supported.

This was rumored to be fixed in late 2016, and then later in a firmware update in February 2017, but as of yet, we have not seen it yet.

If anyone has updated information on this please post it in the comments as I have a few clients running the Meraki’s.

During the installation of Skype for Business 2017 you may run into errors if you select ‘Connect to the internet to check for updates’ andyou also change the default installation location to something other than the C:\ drive. There is a potential third variable that might be required to run into problems as well: If you do not initially deploy conferencing during the front end pool wizard in topology builder. (Additional testing would need to be done to further isolate it from here).

The error that you may run into actually happens later, during the server component installation, and it is:

The solution was to uninstall just the Skype components from control panel and then re-run setup. Only took 10 minutes so wasn’t too big of a deal. But now we must remember to manually apply the latest cumulative updates after the installation completes =)

The Uninstall order (for what it is worth) is the following:

(First uninstall XMPP then proceed with uninstalling the core components last). It is not necessary to remove all the language packs and local SQL instances (at least in my case it wasn’t).

At this point you will be able to successfully complete the full installation of Skype for Business. But you are not out of the woods yet! Because when you attempt to apply the latest cumulative update (in my case it was February 2017) then you will have that same Error 1603 on the Conferencing Service (OCSMCU.msi). When digging into the log files it appears that it is trying to find some files on the C:\ drive despite that during the installation, we selected a custom install path to the E:\ drive.Â

The solution for me was to uninstall again a 2nd time, and this time I updated the Topology builder to include all of the AV Conferencing Options.

So my recommendation is to deploy to the C:\ Drive (just make it a large drive like 250GB) and to initially deploy all of the conferencing features to avoid these issues.